Pending registration information popup even though SSPR registration is completed

Jose 20 Reputation points
2023-06-22T13:16:23.7066667+00:00

Hi,

For some unknown reason, for some users, when opening our Outlook 2016 client, an SSPR registration request pops up even though the user already appears as "SSPR capable" in the 'User Registration Details'. We recently implemented Azure MFA for our Exchange 2016 on-premises. But no conditional access policy is hit as our public IPs are registered as trusted locations. The registration pop-up is requested by SSPR. Looking at the logs I found the following explanation 'User authentication was blocked because they need to provide password reset information. Their next interactive sign-in will ask them for this, which the app should trigger next.'. In my eyes, these messages should not appear as long as the user is already "SSPR capable".

This request becomes a big issue in our environment because the users are in a restricted area where mobile phones are prohibited.

As I said, no conditional access policies are hit, we have excluded the trusted locations in all policies. It seems like there is something related to SSPR which does not detect the 'SSPR capability' of the user.

Any idea how to prevent that popup from appearing?

thanks


Accepted answer
  1. JamesTran-MSFT 36,606 Reputation points Microsoft Employee
    2023-06-22T22:04:11.8+00:00

    @Jose

    Thank you for your detailed post!

    I understand that when users open the Outlook 2016 client there's an SSPR registration page that comes up for some, even though they're showing as SSPR capable within the User Registration Details pages. You recently set up Azure MFA for Exchange 2016 on-prem, and your Conditional Access policies aren't initiating this pop-up since your public IPs are trusted locations. To help point you in the right direction or hopefully resolve your issue, I'll share my findings below.

    Error Message:

    User authentication was blocked because they need to provide password reset information. Their next interactive sign-in will ask them for this, which the app should trigger next.

    Findings:

    When it comes to users being SSPR Capable, this indicates users who have enough registered authentication methods to meet your organization's SSPR policy and are enabled by policy to perform SSPR. If your users are showing as SSPR Capable within the User registration details, and have completed all the required registration steps, I agree that they shouldn't be receiving the SSPR prompt.

    To further understand and troubleshoot your issue since this is only affecting some users:

    1. For the users that have completed the SSPR registration again, what happened afterwards?
    2. When it comes to your Conditional Access Policy, can you see if you ever enabled the "Register security information" setting? Since this could possibly be causing an SSPR refresh enforced Interrupt mode. For more info.
    3. Did you enable the Reconfirm authentication information setting, which will require users to confirm their registered information after a certain period of time?


    Similar issue:

    I hope this helps!

    If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.
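
To scope which accounts are affected before working through the questions above, the sign-in log can be correlated with the registration report. The following is an added example, not part of the original question or answer: it assumes both exports are already loaded as lists of records whose field names follow the Microsoft Graph `signIn` and `userRegistrationDetails` resources, and all users and values in it are constructed.

```python
from collections import defaultdict

# Failure reason quoted in the question; matched on its text, not on an error code.
INTERRUPT_TEXT = "need to provide password reset information"
REASON = "User authentication was blocked because they " + INTERRUPT_TEXT + "."

# Constructed sample records (invented users), shaped like Graph exports.
SIGN_INS = [
    {"userPrincipalName": "Alice@contoso.example",
     "createdDateTime": "2023-06-20T07:01:00Z", "status": {"failureReason": REASON}},
    {"userPrincipalName": "alice@contoso.example",
     "createdDateTime": "2023-06-21T07:03:00Z", "status": {"failureReason": REASON}},
    {"userPrincipalName": "bob@contoso.example",
     "createdDateTime": "2023-06-21T08:15:00Z", "status": {"failureReason": REASON}},
    {"userPrincipalName": "carol@contoso.example",
     "createdDateTime": "2023-06-21T09:00:00Z", "status": {"failureReason": "Other."}},
]
REGISTRATION = [
    {"userPrincipalName": "alice@contoso.example", "isSsprCapable": True,
     "methodsRegistered": ["mobilePhone", "email"]},
    {"userPrincipalName": "bob@contoso.example", "isSsprCapable": False,
     "methodsRegistered": []},
    {"userPrincipalName": "carol@contoso.example", "isSsprCapable": True,
     "methodsRegistered": ["email"]},
]

def affected_users(sign_ins, registration):
    """List users hit by the SSPR interrupt, split by whether the prompt is expected."""
    reg = {r["userPrincipalName"].lower(): r for r in registration}
    hits = defaultdict(list)
    for s in sign_ins:
        reason = (s.get("status") or {}).get("failureReason") or ""
        if INTERRUPT_TEXT in reason:
            hits[s["userPrincipalName"].lower()].append(s["createdDateTime"])
    report = []
    for upn, times in sorted(hits.items()):
        r = reg.get(upn, {})  # user may be missing from the registration export
        capable = r.get("isSsprCapable")
        report.append({
            "user": upn, "interrupts": len(times),
            "last_interrupt": max(times),  # UTC ISO 8601 strings sort chronologically
            "sspr_capable": capable, "methods": r.get("methodsRegistered", []),
            # Capable yet still interrupted is the case described in the question.
            "unexpected": capable is True,
        })
    return report

if __name__ == "__main__":
    for row in affected_users(SIGN_INS, REGISTRATION):
        print(row)
```

Rows with `unexpected` set are the accounts to check against the registration and reconfirmation settings raised in the answer; rows where it is not set are users for whom the prompt matches the policy.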

